How to Install and Use TShark on Linux

TShark is the command-line version of the popular network protocol analyzer, Wireshark. It allows users to capture and analyze network traffic directly from the terminal, making it a powerful tool for troubleshooting network issues, monitoring traffic, or studying network protocols.

This guide will show you how to install and use TShark on Linux.

Installing TShark on Linux
TShark is available in the package repositories of most Linux distributions. Here’s how to install it on different systems:

Ubuntu/Debian: Run the following commands:

sudo apt update
sudo apt install tshark

During installation, you may be asked if non-superusers should be able to capture packets. This is optional but can be configured according to your preference.

Fedora: Use the dnf package manager:

sudo dnf install wireshark-cli

Arch Linux: For Arch-based distributions, you can install it via:

sudo pacman -S wireshark-cli

openSUSE: On openSUSE systems, install with:

sudo zypper install wireshark

Using TShark
Once installed, TShark can be used to capture and analyze network traffic. Below are some common commands to get you started.

1. Capture Live Network Traffic

To start capturing live network traffic, use the command:

sudo tshark

By default, this captures traffic on the first network interface. If you have multiple interfaces, you can specify which one to capture from using the -i flag.

For example, to capture on eth0, run:

sudo tshark -i eth0

2. Save Capture to a File

You can save your capture to a file for later analysis using the -w option:

sudo tshark -i eth0 -w capture.pcap

This saves the capture in the .pcap format, which can be opened with Wireshark or analyzed later using TShark.

3. Read from a Capture File

To read a previously saved .pcap file, use the -r option:

tshark -r capture.pcap

4. Filter Traffic

TShark allows you to apply capture filters to focus on specific types of traffic. For example, to capture only HTTP traffic, you can use:

sudo tshark -i eth0 -f "tcp port 80"

This capture filter (BPF syntax, applied by the kernel before packets reach TShark) ensures that only packets using TCP port 80 (unencrypted HTTP) are captured. Note that -f is a capture filter; -Y, shown later, is a display filter using Wireshark's field syntax.

5. Display Specific Fields

You can display specific packet fields with the -T and -e options. For instance, to show only the source and destination IP addresses from captured traffic:

sudo tshark -T fields -e ip.src -e ip.dst

6. View Capture Statistics

To get a summary of the traffic, you can use the -z option to display statistics. For example, to get protocol hierarchy statistics (-q suppresses the per-packet lines so only the summary is printed when the capture ends):

sudo tshark -q -z io,phs

The related -z io,stat,0 option reports packet and byte counts over the whole capture instead of the protocol hierarchy.
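As an added example tying steps 3 to 5 together (this is not code from the original article), the following POSIX shell functions run TShark with -T fields and tally source-to-destination IP pairs, from either a saved .pcap or a live capture. The capture file path, interface name and packet count are caller-supplied assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: tally which hosts talk to
# which, using TShark's -T fields output (one "src<TAB>dst" line per packet).

# Summarize tab-separated "src dst" lines into "count src -> dst" lines,
# most frequent pair first. Lines with a missing field (non-IP packets
# leave ip.src/ip.dst empty) are skipped.
summarize_pairs() {
    awk -F "$(printf '\t')" '
        NF >= 2 && $1 != "" && $2 != "" { n[$1 " -> " $2]++ }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Read a saved capture (path is an assumption) and summarize IP pairs.
# -Y ip is a display filter: only packets with an IP layer are emitted.
pairs_from_file() {
    tshark -r "$1" -Y ip -T fields -e ip.src -e ip.dst | summarize_pairs
}

# Live variant: capture up to $2 packets (default 100) on interface $1.
# Here a capture filter (-f ip) is used so non-IP frames are never stored.
pairs_live() {
    sudo tshark -i "$1" -c "${2:-100}" -f ip -T fields -e ip.src -e ip.dst \
        | summarize_pairs
}

# Keep only the N busiest pairs from summarized input on stdin.
top_pairs() {
    summarize_pairs | head -n "$1"
}
```

Run `pairs_from_file capture.pcap` after step 2 to see which hosts dominated the capture; pipe the same field output into `top_pairs 5` for just the busiest five.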

Advanced Usage
TShark provides a rich set of features for advanced users, including:

Protocol analysis: Inspect specific protocols using display filters, such as tshark -Y "http.request".
Decryption: Analyze encrypted traffic if you have the necessary keys (e.g., for SSL/TLS).
Scripting: Automate captures and analyses through scripts, making TShark a useful tool in large-scale network monitoring.

Conclusion

TShark is a robust and flexible tool for network analysis on Linux. By following this guide, you should now have TShark installed and understand how to perform basic captures and analyses. For deeper insights, consider exploring the official documentation to learn more about TShark’s advanced capabilities.
